From 8c750708ff4ae1bdea07b8ee4047958eec085d09 Mon Sep 17 00:00:00 2001
From: hc-github-team-nomad-core <82989552+hc-github-team-nomad-core@users.noreply.github.com>
Date: Fri, 11 Nov 2022 13:36:09 -0500
Subject: [PATCH] Backport of [bug] Return a spec on reconnect into release/1.4.x (#15224)
This pull request was automerged via backport-assistant
---
 .changelog/15214.txt | 3 +++
 client/allocrunner/network_manager_linux.go | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/15214.txt
diff --git a/.changelog/15214.txt b/.changelog/15214.txt
new file mode 100644
index 00000000000..222889a0151
--- /dev/null
+++ b/.changelog/15214.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
+```
diff --git a/client/allocrunner/network_manager_linux.go b/client/allocrunner/network_manager_linux.go
index a4a08ce29ce..b435b1c8b82 100644
--- a/client/allocrunner/network_manager_linux.go
+++ b/client/allocrunner/network_manager_linux.go
@@ -122,7 +122,18 @@ func (*defaultNetworkManager) CreateNetwork(allocID string, _ *drivers.NetworkCr
 nsPath := path.Join(nsutil.NetNSRunDir, allocID)
 _, err := os.Stat(nsPath)
 if err == nil {
- return nil, false, nil
+ // Let's return a spec that points to the tested nspath, but indicate
+ // that we didn't make the namespace. That will stop the network_hook
+ // from calling its networkConfigurator.Setup function in the reconnect
+ // case, but provide the spec value necessary for the network_hook's
+ // Postrun function to not fast exit.
+ spec := &drivers.NetworkIsolationSpec{
+ Mode: drivers.NetIsolationModeGroup,
+ Path: nsPath,
+ Labels: make(map[string]string),
+ }
+
+ return spec, false, nil
 }
 }
 return nil, false, err
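Review bot: In the `err == nil` branch of CreateNetwork, a successful `os.Stat(nsPath)` only proves that something exists at that path, not that it is a mounted network namespace belonging to this allocation, yet the new spec hands that path on so that, per the added comment, the network_hook's Postrun no longer exits early. Consider confirming the path really is a namespace mount (for example a filesystem-type check for nsfs) before building the spec, or at least recording the assumption with `// NOTE: os.Stat only proves nsPath exists; it is assumed to be this alloc's netns bind mount.` The diffstat shows only the changelog and this file, so the reconnect path that returns `(spec, false, nil)` has no regression test in this commit; a test asserting a non-nil spec together with a false second return value would pin the leak fix. The function starts and ends outside the hunk, so whether every caller tolerates a non-nil spec with a false flag cannot be confirmed from here.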